Password Reset Email Link Opens Wrong Page

Problem:

After receiving the password reset email and clicking the "Click Here" hyperlink, the user is returned to the "Expired or Forgotten Password" page instead of arriving at the page to enter the new password.

 

The link in the email contains a one-time token, meaning that once anyone goes to that specific URL the link will no longer work and the user is redirected to the password reset request page instead. On investigating this issue, we found that McAfee Antivirus contains a default setting called ClickProtect, which validates the URL but in doing so expends the one-time token. Other antivirus software may have a similar feature.
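The failure described above, next to a reset flow that tolerates link scanners, as an added example (not this site's own code). It assumes a hypothetical in-memory `ResetTokens` store and a flow in which the GET request only checks the token and the POST that sets the new password spends it:

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed token lifetime in seconds


class ResetTokens:
    """Hypothetical in-memory store; only a hash of each token is kept."""

    def __init__(self):
        self._store = {}  # sha256(token) -> (user, expiry)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._store[self._key(token)] = (user, now + TOKEN_TTL)
        return token

    def peek(self, token, now=None):
        """Validate without spending: safe for GET, which a scanner may issue."""
        now = time.time() if now is None else now
        entry = self._store.get(self._key(token))
        return entry[0] if entry and entry[1] > now else None

    def redeem(self, token, now=None):
        """Validate and spend: call only from the POST that sets the password."""
        user = self.peek(token, now)
        if user is not None:
            del self._store[self._key(token)]
        return user


def simulate(consume_on_get):
    """A scanner GETs the link first, then the user GETs it and POSTs the form."""
    tokens = ResetTokens()
    token = tokens.issue("user@example.org")  # constructed sample address
    on_get = tokens.redeem if consume_on_get else tokens.peek
    scanner_saw_form = on_get(token) is not None    # link scanner fetch
    user_saw_form = on_get(token) is not None       # user clicks the link
    password_changed = user_saw_form and tokens.redeem(token) is not None
    replay_rejected = tokens.redeem(token) is None  # token is still one-time
    return scanner_saw_form, user_saw_form, password_changed, replay_rejected
```

With `consume_on_get=True` the user's click fails after the scanner's fetch; with `False` the user completes the reset and a second submission of the same token is still rejected. Because the token now survives being fetched, a short lifetime matters more than it does in the consume-on-GET design.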

 

Solution:

Per McAfee's own discussion thread on the subject, there is no global allow-list to which our domain could be added, and the Sender Allow list does not affect ClickProtect. The only solution they offer is to disable ClickProtect. Outside of that, the only other solution we can offer is to have your Web Administrator update your account in the Member's Area and change your email address to an alternative that would not be affected by ClickProtect (e.g. a Gmail account). Our understanding is that McAfee intends to address this issue in a future release, but that update will be on that vendor's timeline, which we cannot control or predict.

 

Other Possible Causes:

A similar problem has been observed by users of Internet Explorer 9. The recommended solution is to use an up-to-date version of an alternate browser such as Chrome or Firefox. Support for Internet Explorer 9 has been deprecated by Microsoft and only applies to a few older operating systems such as Windows Vista or Windows Server 2008.

 


Comments

  • Ted Kreider

    From McAfee's discussion thread:

    "The options for resolution are whitelisting the URL on the ClickProtect Allow List, or, disabling ClickProtect for specific users or the domain, the latter only being the recommended option if it's determined that the service is not compatible with a particular organization."

  • Ted Kreider

    Vermont Oxford Network is working on a possible solution to this issue as a revision to our own "forgot password" recovery process. If you or other staff at your center are having difficulty with this issue, please contact support@vtoxford.org. We may not have another option available yet but we do want to keep track of the burden this issue represents for our membership. Thank you.

  • Ted Kreider

    Additional information on safelisting sites for ClickProtect is here: https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&aid=65895

  • Ted Kreider

    General article on ClickProtect work-arounds from McAfee:
    https://support.mcafeesaas.com/MCAFEE/_cs/AnswerDetail.aspx?sSessionID=&aid=207044